December 10, 2003

The high-tech black
marketCopyright infringement is a criminal offense. Meet the new generation of geek outlaws and heroes.

By Annalee Newitz

My daddy was a bank robber

But he never hurt nobody

He just liked to live that way

And he loved to steal your money

The Clash, "Bank Robber"

IT WAS AFTER
midnight on a San Francisco street popular with young hipsters. Groups of glittery girls and boys with 1960s protomullets slid past homeless people too tired to beg for money. As my friends and I rounded a corner, we heard a shuffle and a soft cough. A man huddled in a doorway full of shadow, his arms curled protectively around a cardboard box so old that its edges had gone soft and fuzzy.

"Want to buy some records?" he croaked. "I've got really good old stuff."

I paused, uncertain. He paused, too.

Then, in a voice so low I thought he might be talking to himself, he muttered, "I've got some software, too. You want to buy some software?"

That got my attention. It was the first time anyone had ever offered to sell me pirated software on the street. In New York City the streets are packed with people selling crappy pirated DVDs of new movies, but I had never heard of people doing the same thing with software programs.

"What do you have?" I asked.

He named several expensive and popular music software packages and added, "Plus a whole bunch of sound files I made from rare old albums." He smiled, reached into the invisible depths of his box, and pulled out a shiny jewel case with an unmarked CD in it. A friend of mine wound up giving him 20 bucks for a couple thousand dollars' worth of music software and loads of audio clips. After the deal, we all shook hands, and he introduced himself as DJ Cupcake*, "so you can remember me." When we opened the CD on my computer at home, I discovered he'd named it "grip o shit," as if the disc contained drugs instead of code.

And why not treat the silvery disc like a bag of heroin? Selling pirated software
is a federal crime. Violators face fines of up to $500,000 and five
years in prison. In March a notorious Australian software pirate called
Bandito was charged by a Connecticut federal grand jury with copyright
infringement and - because he was the leader of a software piracy
ring called DrinkorDie - conspiracy. He faces extradition, hundreds
of thousands of dollars in fines, and up to 10 years in prison. Twenty
other members of DrinkorDie have been convicted of felony copyright
infringement as well.

Compared to the DrinkorDie gang, Cupcake is small-time. He's just
selling a handful of pirated titles on the street. These days the
federal government has bigger fish to fry. With the passage of the
Digital Millennium Copyright Act (DMCA) in 1998, it created a whole
new breed of digital outlaw: people who create or distribute tools
that could be used to make pirated copies. Attorneys and activists
compare this to outlawing crowbars because they could be used to break
into somebody's house. And yet the steepest sentences doled out for
criminal copyright infringement in the last couple of years have been
for people selling tools rather than bootlegs.

Copyright criminals

Consider the case of a Florida man who went by the name JungleMike, arrested earlier this year and charged on several counts of copyright infringement for selling modified smart access cards that helped his clients get free satellite TV. It's hard to deny that stealing pay TV, like selling a pirated CD, is a form of theft. But JungleMike wasn't stealing cable. He was selling hardware that other people could use to steal cable if they chose to do it. And yet JungleMike faces up to 30 years in prison, more than a bank robber does. Bank robbery, a form of theft both violent and extreme, carries a sentence of no more than 25 years.

Things weren't always this way. The first criminal provision in U.S. copyright law was added in 1897, more than 100 years after copyrights were defined and codified in the U.S. Constitution. Anyone who has followed the Recording Industry Association of America (RIAA) and the Motion Picture Association of America's push to sue the pants off people pirating media on peer-to-peer networks won't be surprised to discover that this century-old provision made it a misdemeanor to perform copyrighted musical or dramatic compositions "willfully and for profit." Later provisions extended the law to cover all copyrighted materials, and in 1982 a special felony provision was added for first-time infringers of movie and sound-recording copyrights.

It wasn't until 1992 that software found its way into criminal copyright law. Until that time, Cupcake's little sidewalk business might have gotten him sued but it wouldn't have landed him in jail. Now it most assuredly could.

Nevertheless, little changed in criminal copyright law for more than a century. Higher penalties were added, and more forms of media were tacked onto the list of items one might be jailed for copying and selling. But it wasn't until the infamous DMCA that the U.S. public was subjected to a dramatic and weird sea change in the law.

After the passage of the DMCA, it became illegal to "manufacture, import, offer to the public, provide, or otherwise traffic in any technology, product, service, device, component, or part thereof, that is primarily designed or produced for the purpose of circumventing a technological measure that effectively controls access to a [copyrighted] work" (U.S. Criminal Code, title 17, chapter 12, section 1201). What this means is that you can't distribute or sell any kind of object or service that would potentially allow people to circumvent tech that protects media copyrights. This "crime of circumvention" is different from mere infringement because these days copyrighted media are often protected by more than a simple "all rights reserved" statement. If you buy a CD, DVD, or video game, it's likely that even if you wanted to copy it illegally, you couldn't, because a "technological measure" on the disc would stop you. Also known as digital rights management (DRM), this is usually some form of encryption software that is supposed to make it impossible for you to unscramble cable signals, copy DVDs, or put the music files you buy from the iTunes store onto more than one computer.

Of course, in practice the encryption or anticircumvention devices media companies use are generally easy to break. In a famous example, people discovered they could use Magic Markers to black out the parts of their CDs that contained DRM. Once marked up, the CDs could be ripped.

JungleMike, who sold hardware that allowed people to decrypt satellite TV signals, was charged under the section of the criminal code that deals with circumvention. Had he been caught five years ago, he might have faced a zillion-dollar lawsuit, but he wouldn't have been headed to the big house for his entire adult life.

But how can the federal government outlaw tools? That's as silly as making Magic Markers illegal because they could be used as circumvention devices. As activists with the Electronic Frontier Foundation (EFF) argued in a recent white paper, "photocopiers, VCRs, and CD-R burners can also be misused, but no one would suggest that the public give them up simply because they might be used by others to break the law." Most of the circumvention tools the DMCA is designed to prohibit also have legitimate uses.

Perhaps more important, turning circumvention into a crime means that people who have a legal right to make fair-use copies of their media can't. Say, for example, you're a music professor who wants to make copies of certain songs available for students to download and listen to for class. These kinds of copies fall under a fair-use exemption to copyright law because they are being used purely for scholarly inquiry. It's also legal for people to make personal backup copies of media they have purchased. But under the DMCA, the tools to make these perfectly legal copies simply won't be available outside the black market. While the DMCA does provide exemptions for research and fair use, getting the tools to make good on said exemptions is such a thorny problem that technologists worry the law will stifle innovation and scholarly inquiry.

For these reasons and more, the DMCA has created a consumer rights crisis. People are being physically restrained from making legal copies of CDs and DVDs they have legitimately purchased. Moreover, they are also being told they cannot modify their game systems and computers to play backup copies. The Xbox game system will not play backup copies of games, regardless of whether they are legal copies. DVDs come with an encryption scheme called CSS that prevents people from playing their DVDs on computers running the Linux operating system. A program called DeCSS that allows Linux users like myself to play the movies we've bought is illegal under the DMCA because it has to decrypt the copy protection in order to play movies. But why shouldn't I be able to play my movies on any machine I want? Why shouldn't I be allowed to use my game system to play my backup games?

Increasingly, consumers are having to ask these questions  and in many cases, they are starting to challenge the law. But the outcome of these challenges remains uncertain. What's clear, however, is that the DMCA's anticircumvention provision has created a thriving black market where geeks rule.

Garage modder

Somewhere in Silicon Valley, a twentysomething man who goes by the name Bear is making $6,000 profit a month selling copyright circumvention devices. To be more precise, he sells and installs chips for the Xbox and Playstation that allow people to play copied games. I found him on a community Web site, offering his service  known as "modding"  for $70 a game system. After I exchanged a few e-mails with him, he agreed to an interview with me.

My hacker pals Mason and Dixon came along for the ride. Like many geeks of their generation, Mason and Dixon don't take kindly to giant corporations using DRM to cripple the hardware they sell. "If I buy an Xbox, it's mine to do with as I please," Mason told me hotly. "I don't want it all fucked up with copy protection bullshit. I want to play whatever the hell I want."

We arrived in the quiet South Bay suburb on a Friday around 8 p.m., which is when Bear's shop opens for business. He'd given me an address and told me to "just knock on the garage door." As I hesitantly rapped on the metal, a clot of teenagers crossed the street and headed toward us, giggling and whispering excitedly as they arrived at Bear's garage. "Gang's all here," one of them announced, grinning.

Bear seemed to materialize out of nowhere. He looked as if he'd just gotten home from work, which in fact he had. Although he'd spent the last eight hours slaving over a hot keyboard coding for a large software corporation, his shirt and pants looked freshly ironed and he had a kind word for everyone. After some handshakes and hugs, he brought all of us inside.

The garage was like some kind of gamer palace. In the corner, a couple of guys sat on a plump couch playing a modded Playstation. One wall was taken up with a large engineer's workstation, a thick wooden table covered with hard drives, stacks of tiny boxes full of chips and soldering equipment, and a few motherboards Bear's little brother was delicately working on. A frown of concentration crossed his face as he attached a hair-thin wire from a chip to the board.

On a table in the center of the room were two hard, silvery suitcases, the kind heroes in caper movies always use to carry loot. They were packed with tidy rows of disks, neatly labeled and organized alphabetically. The teenagers who came in with us swarmed around them, excitedly exclaiming. One, the only girl in the room besides me, sat down in a chair and looked aggressively bored. The suitcases were full of pirated games, which at $7 a pop are $45 cheaper than most games on the legit market.

Surveying the room, with its comfy sofas and teenage energy, I was once again reminded forcefully of the similarities between the black market software business and that of a drug dealer. Here, among dorks with hard drives and video game obsessions, I found the same weird sense of guarded cheerfulness and barely concealed paranoid hysteria that has permeated the home of every drug dealer I've ever visited. There was even the same Friday-night party crowd: dozens of people swirled in and out, stocking up on goodies for the weekend.

But there was also something there that no drug den could ever have: a sense of good, clean fun. "Look at this," Bear said to me, gesturing expansively. "See how cool it is? These people are like my family. Nobody wants to leave  they all want to stick around and hang out." And he was right. Despite the look of excited naughtiness I saw in his customers' eyes, there was also a lot of shooting the breeze and goofing around. A middle-aged guy waiting for his Xbox mods to be finished told me about his pet minihamsters. Kids swapped stories about their favorite games and tried the modded Playstation in the corner. I chatted with Bear's brother about what he was working on, and he showed me several types of chips he uses to circumvent DRM on the Xbox.

After tending to his customers with the kind of polished, professional charm one expects from people hawking wares at a technical convention, Bear retreated into the house where he lives with his extended family. His sister kindly fussed over him, scolding him for not eating enough and pouring a steaming bowl of egg-drop soup. Between hasty sips, customer phone calls, and periodic requests for help from his little brother, Bear told me his story.

He started the modding and pirating business a year ago, after he got laid off from a job in software development. "If my parents were rich, I could be in a different market," he explained. "But you need money to start your own business. So I started from the bottom. All my life I've done something besides my main job, something on the left and the right, you know?" The garage shop started slowly, with Bear modding Xboxes for fun. "But I could see where it was going," he said, shrugging. "Too many of my friends wanted me to do it, so I started charging." At first he pulled in a few hundred dollars a week. But a year later, during holiday season, he says he's reached a high point at $6,000 a month.

His typical customer is "a mature adult who doesn't play games," he explained. These people want him to mod their Xboxes so they can use Xbox Media Player to play movies on their game systems. Currently, DRM on the Xbox doesn't allow people to do this, despite its obvious appeal.

Now that he's working full-time again, Bear hopes he can sock away enough cash to go straight. "I want to be in the legit market instead of like this," he said. "I want to use this money to create a business where I can deal a lot with people, which is what I love to do." When I asked him if he knew he could go to jail for what he's doing, he looked genuinely frightened. I explained that in April, a modchipper in Virginia with the handle krazy8 was sentenced to five months in jail and a $28,000 fine. Bear hadn't heard of the case, but it was clear he knew that was a possibility.

"I worry about the risk all the time," he admitted. "Basically, I hope I don't get busted, but if I do, I'll just be honest and explain how hard I work on this and how much I love it. I help so many people, and the harm I've done to the companies isn't worth jail time." He pondered for a moment, sipping his soup. "Anyway, my customers are the coolest people. They share games and buy for their brothers and sisters. Besides," he added, sighing, "my mom and dad can't give me any money. I need the work."

A few days later, I spoke with one of Bear's customers, who asked to remain anonymous. "I actually work at Microsoft, but I still modded my Xbox because I wanted to watch movies on it," he confessed. "And I'm not the only Microsoft employee who feels this way."

He said the main drawback to modding is that if you forget to turn your modchip off and try to play yourXbox over the Internet, Microsoft will figure out what you've done and shut down your online gaming account. He added, "I also think that Microsoft knows how popular modding is and that they are keeping a close eye on what people are doing so they can figure out what to add to the next generation of Xboxes."

Geeks in white hats

So far, Microsoft and Sony haven't gone after anyone for circumventing the DRM in their game systems. Nevertheless, Bear isn't the only modder who lives in fear that his garage tinkering will capture the attention of federal agents and land him in jail. Bunnie, a former MIT graduate student and the author of Hacking the Xbox, secured legal representation from the EFF before publishing his book (see Techsploitation, 9/17/03).

Unlike Bear, bunnie isn't running a black market modding shop: he's just an engineer with a lot of curiosity. Among geeks he'd be called a "white hat" hacker  the kind who tinkers with machines out of a desire to learn and explore. Along with other white hats, like Princeton University professor Ed Felton  who cracked copy protection software the RIAA wanted to put on CD players  bunnie hacks on DRM for both intellectual and political motives. Essentially, he wants to demonstrate that there are legitimate reasons for people to circumvent DRM. In his case, that reason was to make his Xbox run the Linux operating system. Attorneys with the EFF suggested that this meant bunnie's work qualified for an exemption under the DMCA, which states that people may circumvent copy protection schemes if they are doing it to make their machines "interoperable" with other technologies.

When I asked Bear if he'd ever thought of hacking Xboxes to run Linux on them, he wasn't interested. "I'd lose cred if I did that," he commented. Clearly, there's a difference between bunnie's and Bear's work. The government argues that what bunnie does is fine while what Bear does isn't. But they both perform exactly the same modifications to the Xbox hardware when they add a circumvention chip. So when the government goes after a modder like Bear, it has to prove intent  always a dicey proposition.

Wendy Seltzer, an attorney with the EFF, says there's definitely a blurry line between Bear's business and one that is clearly legal. "The statute [of the DMCA] requires that [his services are] being offered 'primarily for the use of circumvention,' " she explained. "So therefore saying, 'I want to mod your box' is different from 'You can use this to play pirated games.' The latter treads closer to the line." There are even, Seltzer added, "commercially significant noninfringing uses" for a modded Xbox, which explains why a search for "modded Xbox" on Google will turn up several Web sites where you can buy a premodded game system. As long as the machines are being sold for interoperability with Linux or other technologies, they occupy a legal gray area nobody has yet challenged. Except for krazy8's case, people caught selling modchips have mostly settled out of court.

Seltzer speculates that companies may be loath to tip off the U.S. Attorney's Office to modders' businesses because of the horrendous public relations mess that developed when Adobe had a young Russian hacker named Dmitry Sklyarov arrested in 2001 for writing a program called Advanced eBook Processor that circumvented copy protection on the company's eBooks. Sklyarov, whose program was legal in Russia, was arrested when he came to the United States to deliver a paper on his work at a conference. During his detention, he became a cause célèbre among tech activists, who held large protests outside the Adobe offices until shamefaced executives dropped their complaint against him. He was released a few weeks later and allowed to return to Russia. Sklyarov's employer, ElcomSoft, which marketed his tool, fought the charges and won.

Because the Sklyarov case was so high-profile and inspired such widespread approbation, activists like bunnie are probably safer than they might have been a few years ago.

But crimes of circumvention are only going to become more common in the United States as the government and industry begin widespread deployment of smart cards for everything from IDs to cash cards. A smart card is any card with a computer chip in it, and as JungleMike's case makes clear, satellite TV companies using such cards in their systems created quite the lucrative black market for circumvention devices. Over the next two years, Visa will be rolling out "wireless smart cards" that can be used for everything from subway fares to supermarket purchases. Next year the city of San Francisco will be putting smart card readers into parking meters so people can use their TransLink cards to pay for parking as well as bridge tolls.

To understand the vast potential for a black market in smart card hacks, we need only look to Europe, where smart cards have been in heavy use for the past decade. Ross Anderson, a computer scientist at Cambridge University, has written extensively about the security of smart cards. "Smart card hacking has been an established industry in Europe for almost ten years," he said via e-mail. "The widespread use of smart cards for satellite TV got it started, then the phone companies started using smart cards [in phones].... We're about to have smart card-based identity documents, which will create a serious criminal market, and smart card-based bank cards, which will motivate lots of people to learn about the technology."

The black market in circumvention devices could soon include smart card hacks
that would keep your bank account fat and your phone bill low. But
as the stakes get higher in crimes of circumvention, the losers are
bound to be innocent consumers and white-hat hackers. In their efforts
to stop crime, corporations and the government are using DRM and the
DMCA to stamp out our ability to make fair use of our media. When
we cannot do what we like with our machines in our own homes, we are
losing what Princeton professor Felton calls our "freedom to
tinker." Ultimately, we may lose far more: our ability to innovate,
to pass on our knowledge, and to understand how the technology that
runs our world works.